MSAL.Net in PowerShell – Use .pfx file for Client Credentials Flow

This post will show you how to authenticate for the client credentials flow in PowerShell with MSAL.Net using the .pfx file for the certificate authentication instead of loading the certificate from the certificate store. This post is in part based on this: Using PowerShell to Configure a signing certificate for a SAML-based SSO enterprise application Also, special thanks to my team members Bac Hoang and Will Fiddes for assisting with…

Read More

What’s the security implication of changing the default client type from confidential to public in Azure AD?

From time to time, I get asked this question by a few different customers especially when they encounter the error “AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’” when authenticating to Azure AD. The error is related to the following Default client type setting in the Authentication blade of a registered application: By default the setting is set to No (confidential client). Changing to ‘Yes’ converts…

Read More

Using PowerShell to configure a signing certificate for a SAML-based SSO Enterprise Application

In my last blog post I talked about how to use PowerShell to instantiate an MSAL Confidential Client Application to acquire an access token using Client Credentials Grant flow. In this post we will use PowerShell to instantiate an MSAL Public Client Application to perform an Authorization Code Grant flow to obtain a delegated permission Access Token for Microsoft Graph. We will then use that access token to call Microsoft…

Read More

Using MSAL.Net to perform the client credentials flow with a certificate instead of a client secret in a .NetCore console appliction.

The sample files for this post can be found in this GitHub repository: https://github.com/RayGHeld/NetCore_ClientCredentials_withCert There is also a Powershell script there to create a certificate for this sample. You can perform the OAuth2 client_credentials grant flow to sign in as an application for your automated type of services. This flow does not require an interactive user to authenticate and should only be run in secure environments. There are 2 methods…

Read More

Where is all the Azure Active Directory for developers (v1.0) documentation?

Where is all the Azure Active Directory for developers (v1.0) documentation? Azure Active Directory (Azure AD) is a cloud identity service that allows developers to build apps that securely sign in users with a Microsoft work or school account. If you have been developing your apps using Azure Active Directory for developers (v1.0), typically ADAL, you might have noticed that it is getting harder to find related documentation. This is…

Read More

Using PostMan to request an Azure AD token via SAML Assertion Grant flow

Azure Active Directory (Azure AD) supports an OAuth2 Extension Grant called “SAML Bearer Assertion flow” which allows an application to request an JWT OAuth2 token from Azure AD by providing a SAML Assertion (Token) acquired during an authentication process to a different Authorization Server. As you can imagine in order for this token exchange mechanism to happen, a trust relation between Azure AD and that Authorization Server must have already…

Read More

Configure .Net Application to call Microsoft Graph in a National Cloud Tenant

When authenticating with Azure and making a Microsoft Graph request, for commercial tenants, this is all done with the .com endpoints ( https://login.micorosoftonline.com/… and https://graph.microsoft.com ) and your token audience is for the .com endpoint as well. However, when performing the requests against a National Cloud tenant, you must use the appropriate endpoints. In this article, I will show you how to configure the Microsoft Graph .Net SDK in a…

Read More

Implement Client Credentials flow for Graph Java Client

In my previous article , I showed you how to modify our great Graph Client for Java sample to add some additional options for things like filtering, setting the max retries for 429 errors, etc.  That sample uses the Oauth2 Device Code flow.  In this article, I will show you how to convert that and use the Client Credentials Flow.  Although, you will not be able to retrieve the same…

Read More

Using PowerShell to get Azure AD audit logs

In my previous blog, I talked about how to use PowerShell with Microsoft Graph Reporting API. In that blog, I used the Client Credentials grant flow to acquire an access token for Microsoft Graph against the V1 endpoint. Also the code sample in that blog only works if all the reporting data result set is small. In this blog I’ll discuss how to get a Microsoft Graph access token using…

Read More

Receiving error WIF10201: No valid key mapping found for securityToken

Customer has an ASP.Net MVC application using both WS-Federation OWIN middleware and Windows Identity Foundation (WIF) to authenticate to Azure AD. The application works fine initially and then fails with the following error: Error Details:Server Error in ‘/’ Application.WIF10201: No valid key mapping found for securityToken: ‘System.IdentityModel.Tokens.X509SecurityToken’ and issuer: ‘https://sts.windows.net/<Directory ID>/’. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for…

Read More